JP3904421B2 - Remainder multiplication arithmetic unit - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
INDUSTRIAL APPLICABILITY The present invention is effective when applied to an encoding and decryption device using modular multiplication and modular exponentiation, and in particular, an IC card ( The present invention relates to a technology that is effective when applied to a high-security data processing device such as a smart card.
[0002]
[Prior art]
  For mobile terminals such as GSM (Global Systems for Mobile communications) standard mobile phones widely used in Europe and smart cards, user authentication and electronic commerce (electric commerce) )It can be performed. Generally, when used as electronic money, it takes the form of an IC card, and in the case of GSM mobile radio (GSM mobile radiotelephone system), it takes a form called SIM (Subscriber Identification Module). . Both the SIM and the IC card are obtained by sticking a semiconductor chip with a terminal to a plastic plate, and the device itself is also a semiconductor chip. Therefore, the IC card will be described below.
  The IC card retains personal information that cannot be rewritten without permission, encrypts data using a cryptographic key that is secret information, and decrypts cipher text ( device that performs decryption). The IC card itself does not have a power supply, and when it is inserted into a reader / writer for the IC card (card reader / writer), it is supplied with power and can operate. When the operation becomes possible, a command transmitted from the reader / writer is received, and processing such as data transfer is performed according to the command. General explanations of IC cards can be found in “IC Card” written by Junichi Mizusawa, edited by the Institute of Electronics, Information and Communication Engineers, Ohm.
  As shown in FIG. 1, the IC card has a structure in which an IC card chip 102 is mounted on a card 101. As shown in the figure, an IC card generally has a supply voltage terminal Vcc, a ground terminal GND, a reset terminal RST, an input / output terminal I / O, and a clock terminal CLK at positions defined by the ISO7816 standard. , Supply power from the reader / writer and communicate data with the reader / writer (see W. Rank and Effing: SMARTCARD HANDBOOK, John Wiley & Sons, 1997, pp. 41).
  The IC card chip configuration is basically the same as an ordinary microcomputer. As shown in FIG. 2, the configuration consists of a central processing unit (CPU) 201, a memory device 204, an input / output (I / O) port 207, and a coprocessor 202 ( (There may not be a co-processor). The CPU 201 is a device that performs logical operations and arithmetic operations, and the storage device 204 is a device that stores programs and data. The input / output port is a device that communicates with the reader / writer. The co-processor is a device that performs cryptographic processing itself or computation necessary for cryptographic processing at high speed. For example, a special computing device for performing a remainder operation of RSA encryption or DES (Data Encryption Standard) processing There is a cryptographic device that performs. Many IC card processors do not have a co-processor. The data bus 203 is a bus for connecting each device.
  The storage device 204 includes a ROM (Read Only Memory), a RAM (Random Access Memory), an EEPROM (Electrical Erasable Programmable Read Only Memory), and the like. ROM is a memory that cannot be changed, and is a memory that mainly stores programs. RAM is a rewritable memory, but when the power supply is interrupted, the stored contents disappear. When the IC card is removed from the reader / writer, the power supply is interrupted and the RAM contents are not retained. The EEPROM is a memory that can retain the contents even when the power supply is interrupted. This memory needs to be rewritten and is used to store data that is retained even if the IC card is removed from the reader / writer. For example, the usage rate of a prepaid card is rewritten every time it is used, and it is necessary to retain data even if it is removed from the reader / writer, so it is retained in EEPROM.
  In order to realize user authentication and electronic money settlement, public key cryptography technology is required. Public key cryptography is used by embedding secret information in public information, and is also called asymmetric key cryptography because different keys are used on the transmission side and the reception side. There is RSA encryption as a public key encryption widely used at present. RSA ciphers are based on the fact that it is easy to generate a product of large prime numbers, but it is difficult to factor a given composite number. In RSA cryptography, Y ^ X mod N (Y ^ X is Y), using a public modulus N and a given cipher text Y with a secret exponent X Is calculated to obtain the plain text M, or the reverse operation is performed. This operation is called modular exponentiation.
  Here, since X, Y, N is a very large number of about 1024 bits to 2048 bits as of 2001, how to execute “Y ^ X mod N” at high speed, It has been regarded as a problem in the fields of applied mathematics and engineering. In particular, in a device with a limited storage capacity such as an IC card and a low CPU capacity, the power-residue operation is a very large task, and its high-speed operation is a very important issue. .
  Various algorithms for the power-residue calculation are known. For example, the following are widely used. This is called an addition chain method.
[Algorithm 1]
  input Y, X = (X [n-1] X [n-2] ... X [1] X [0]), N
  output Y ^ X mod N
  A = 1 Step 1
  B = Y Step 2
  For j = n-1 to 0 step 1 {Step 3
    A = A ^ 2 mod N Step 4
    If X [j] = 1 then A = A * B mod N Step 5
  }
  output A Step 6
In this algorithm, n corresponds to the bit length of X, and (X [n-1] X [n-2] ... X [1] X [0]) is the binary representation of X . This algorithm is generally executed by combining a square remainder multiplication “A ^ 2 mod N” (step 4) and a remainder multiplication “A = A * B mod N” (step 5), and X [n -1], X [n-2], ..., X [1], X [0] where n is the number of 1s in H (X), n square multiplications “A ^ 2 mod N” Thus, H (X) operations are repeatedly performed on the remainder multiplication “A = A * B mod N”.
  It is confirmed by numerical examples that the correct result can be obtained by the above algorithm 1.
In terms of algorithm confirmation, it is sufficient to specify the index X, so Y and N are used as symbols.
S = Y ^ 45 mod N
Is calculated according to algorithm 1. Here, the index 45 is a binary number.
45 = 101101 (binary)
Can be written. Therefore, when the exponent is expressed using the symbol of algorithm 1,
X [5] = 1, X [4] = 0, X [3] = 1, X [2] = 1, X [1] = 0, X [0] = 1
It becomes. The bit number n is 6. The initial value of S is 1.
(1) When j = 5
   Since the initial value of S is 1, even if the remainder is squared and divided by N, it is 1 (step 4).
   Since X [5] = 1, step 5 is executed,
  S = 1 * Y mod N
    = Y mod N
Is obtained.
(2) When j = 4
   Since the value of S at this time is initially S = Y mod N, taking the remainder obtained by squaring this and dividing by N yields S = Y ^ 2 mod N.
  Since X [4] = 0, step 5 is not executed and S = Y ^ 2 mod N remains.
(3) When j = 3
  Since the value of S at this time is initially S = Y ^ 2 mod N, taking the remainder obtained by squaring this and dividing by N yields S = Y ^ 4 mod N.
  Since X [3] = 1, step 5 is executed,
S = Y ^ 4 * Y mod N = Y ^ 5 mod N
It becomes.
(4) When j = 2
  Since the value of S at this time is initially S = Y ^ 5 mod N, taking the remainder obtained by squaring this and dividing by N yields S = Y ^ 10 mod N.
  Since X [2] = 1, step 5 is executed,
S = Y ^ 10 * Y mod N = Y ^ 11 mod N
It becomes.
(5) When j = 1
  Since the value of S at this time is initially S = Y ^ 11 mod N, taking the remainder obtained by squaring this and dividing by N yields S = Y ^ 22 mod N.
  Since X [1] = 0, step 5 is not executed and S = Y ^ 22 mod N remains.
(6) When j = 0
  Since the value of S at this time is initially S = Y ^ 22 mod N, taking the remainder obtained by squaring this and dividing by N yields S = Y ^ 44 mod N.
  Since X [0] = 1, step 5 is executed,
S = Y ^ 44 * Y mod N = Y ^ 45 mod N
Thus, a desired result is obtained.
  As described above, in Algorithm 1, the power-residue operation is decomposed into the remainder multiplication (including the square) and executed, so an arithmetic device having an arithmetic function “A * B mod N” may be used.
  However, A, B, and N are all very large values. For example, if the data length is currently 1024 bits, the intermediate result A * B has a problem of a large number of 2048 bits. Furthermore, since the final result is a value obtained by dividing A * B by N, division that handles a large value of 2048 bits / 1024 bits must be executed. Here, multiplication can be performed in parallel by a microprocessor or the like by dividing the multiplier and the multiplicand, but division is difficult to parallelize, and this is a factor that hinders speeding up.
  In order to solve such a division problem in the remainder multiplication “A * B mod N”, an algorithm 2 that executes “A * B * R ^ (− 1) mod N” without performing division by N is known. ing. Here, R is 2 ^ n (n is a bit length of N, for example), and is a positive integer satisfying R> N. In the following, it is assumed that N is an odd number. This assumption is a reasonable assumption in RSA and elliptic curve cryptography on the prime field. In fact, in RSA, N is a product of large prime numbers, and in prime fields, a modular arithmetic operation modulo a large prime number is performed, and thus N is an odd number.
  Algorithm 2 below was proposed by mathematician Peter Montgomery. Details of the argument that leads to Algorithm 2 are omitted here, but for example, the paper PL Montgomery, “Modular Multiplication without Trial Division” written by Montgomery himself, Math. Comp., Vol. 44, 1985, pp .519-521, or a standard handbook in cryptology A. Menezes, PCvan Oorschot, SAVanstone, “Handbook of Applied Cryptography”, CRC-press, 1997, pp. 602-603.
[Algorithm 2]
  W = 0
  For j = 0 to n-1 step +1 {
    T = W + A [j] * B
    If T is odd then W = (T + N) / 2
    Else W = T / 2
  }
  If W> = N then W =W-N
  Output W
Since the value of A * B * R ^ (-1) mod N is obtained in algorithm 2, in order to execute a power-residue operation in RSA cryptography using a device that performs this operation, the following algorithm 3 It is necessary to use a modified algorithm.
[Algorithm 3]
  input Y, X = (X [n-1] X [n-2] ... X [1] X [0]), N
  output Y ^ X mod N
  A = R mod N Step 1
  B = Y * R mod N Step 2
  For j = n-1 to 0 step 1 {Step 3
    A = (A ^ 2) * R ^ (-1) mod N Step 4
    If X [j] = 1 then A = A * B * R ^ (-1) mod N Step 5
  }
  A = A * R ^ (-1) mod N Step 6
  output A Step 7
In Step 3 of Algorithm 3, the multiplier and the multiplicand are multiplied by R mod N. Hereinafter, this data format is referred to as a Montgomery format. In the above Montgomery multiplication "ABR ^ (-1) mod N", the Montgomery form is kept unchanged. In fact, if we write the Montgomery form representation of A as Mont (A) = A * R mod N,
Mont (A) * Mont (B) * R ^ (-1) mod N
= A * R * B * R * R ^ (-1) mod N
= A * B * R mod N
= Mont (A * B)
It becomes. So, for example, calculate "A * B * R ^ (-1) mod N", "(A ^ 2) * R ^ (-1) mod N", "A * R ^ (-1) mod N" If there is a computing unit that performs the above, the procedure of the algorithm 3 can be executed at high speed using the CPU and these computing units. "(A ^ 2) * R ^ (-1) mod N" and "A * R ^ (-1) mod N" are respectively B in "A * B * R ^ (-1) mod N" Since = A and B = 1, it is understood that a power-residue operation can be realized by configuring an arithmetic unit “A * B * R ^ (− 1) mod N”.
  Next, in the algorithm for calculating “A * B * R ^ (-1) mod N” shown in Step 2, we will briefly summarize what has been done so far about how to speed it up. .
  For the sake of explanation, algorithm 2 is shown again.
[Algorithm 2 (repost)]
  W = 0 Step 1
  For j = 0 to n-1 step +1 {Step 2
    T = W + A [j] * B Step 3
    If T is odd then W = (T + N) / 2 Step 4
    Else W = T / 2 Step 5
  }
  If W> = N then W =W-N              Step 6
  Output W Step 7
  Known typical speed-up methods can be classified as follows.
  First speed-up method: Reduce the number of loop iterations including steps 3, 4, and 5
  Second speed-up method: parallel processing of steps 3, 4 and 5
  Third speed-up method: Replace the process in step 6 with a simpler one
As a typical first speed-up method, there is a method in which the addition processing is executed collectively for a plurality of bits. For example, the following algorithm 4 shows a method for collectively executing k-bit processing.
[Algorithm 4]
For j = 0 to2 ^ k-1 step +1 {Step 1
TBL (j, B) = j * B Step 2
TBL (j, N) = j * N Step 3
}
W = 0 Step 4
For j = 0 to n / k-1 step +1 {Step 5
   T = W + TBL (A [j, k], B) Step 6
   U = T mod 2 ^ k Step 7
   M [j, k] = -U * N [0, k] ^ (-1) mod 2 ^ k Step 8
   W = T + TBL (M [j, k], N) Step 9
   W = W / 2 ^ k Step 10
}
If W> = N then W =W-N                Step 11
Output W Step 12
Here, for simplicity, k is assumed to be a divisor of n. For example, when n = 1024, k = 2, 4, 8, etc. may be selected. A [j, k] indicates the value of the j-th k-bit block from the bottom of A. Similarly, M [j, k] indicates the value of the j-th k-bit block from the bottom of M, and N [0, k] indicates the value of the lowest-order k-bit block of N. In addition, the calculation in step 8 is performed so that the value becomes positive. In the algorithm 4, if k = 1, N is an odd number, so M matches U and the algorithm 2 is obtained. A method for implementing the remainder multiplication based on this method is disclosed in Japanese Patent Application Laid-Open No. 7-20778, Masahiko Takenaka et al.
  Since the algorithm 4 is slightly complicated, its mechanism will be briefly described.
  Before explaining the contents of the algorithm 4, it is necessary to understand the principle of the Montgomery method. The Montgomery method is in principle an indefinite equation (Diophantine equation) with M and W as unknowns:
(Formula 1) A * B + M * N = W * R
Is equivalent to solving First, note that since N is an odd number and is relatively prime with R = 2 ^ n, (Equation 1) has an integer solution. The assumption that N is odd is essential because (Equation 1) does not necessarily have an integer solution when N is even.
  In order to understand the meaning of (Formula 1), FIG.
  Since R = 2 ^ n, the lower-order n bits on the right side of (Equation 1) are all 0, so obtaining M that satisfies (Equation 1) means that the lower-order n bits of AB and MN are 0. It is nothing but the operation of selecting M. This upper half bit string is the value of A * B * R ^ (-1) mod N to be obtained. However, the sum of the number of 2n bits and the number of 2n bits is 2n + 1 bits, and the most significant bit may be 1 (hereinafter, this bit is referred to as OV bit). This is resolved in step 11 of algorithm 4.
  Taking the remainder of dividing both sides of (Equation 1) by R = 2 ^ n,
(Formula 2) (A * B mod 2 ^ n) + (M * N mod 2 ^ n) = 0
Get. (Equation 2)
(Formula 3) M = -A * B * N ^ (-1) mod 2 ^ n
Get. Since the modulus is power of 2, this M can be obtained for each bit block in turn. This is the meaning of Algorithm 4. In the algorithm 4, since the number of loops is 1 / k, roughly speaking, the loop portion is about k times faster. However, in this case, there is a problem that the size of the multiplication table increases when k is increased. As the size increases, the RAM area is under pressure. In general, in a device such as an IC card, since the RAM area is small, k cannot often be increased. This is the first problem.
The second speed-up method can be used in combination with the first speed-up method. In Algorithm 4, it can be seen that the value of M is determined when the lower k bits of T are determined (step 8), and that the processing of step 9 can be executed immediately after the determination. Therefore, if two n-bit adders are mounted and a circuit that executes step 6 and step 9 in parallel is configured, the speed is almost doubled. However, this method requires twice as many adders. This not only means that the amount of computing units is doubled, but also means that the power consumption during execution is also doubled. This is the second problem.
  The third speed-up method is independent of the first and second speed-up methods.
  As is well known, the comparison process as in step 11 of Algorithm 4 is accomplished by actually performing a subtraction and examining a negative flag. Since this is a subtraction process between large numbers such as 1024 bits, the processing time may not be negligible. On the other hand, on a computer, comparison with R = 2 ^ n is easy.
Therefore, the speed can be increased by using the algorithm 5 in which the last comparison / subtraction processing unit (step 11) is changed as follows. The speeding up by this change has already been described in Japanese Patent Laid-Open No. 10-21057, Kunihiko Nakata “Data Processing Device and Microcomputer”, Kunihiko Nakada: DATA PROCESSOR AND MICROPROCESSOR, United States Patent, US005961578A.
[Algorithm 5]
For j = 0 to2 ^ k-1 step +1 {Step 1
TBL (j, B) = j * B Step 2
TBL (j, N) = j * N Step 3
}
W = 0 Step 4
For j = 0 to n / k-1 step +1 {Step 5
   T = W + TBL (A [j, k], B) Step 6
   U = T mod 2 ^ k Step 7
   M [j, k] = -U * N [0, k] ^ (-1) mod 2 ^ k Step 8
   W = T + TBL (M [j, k], N) Step 9
   W = W / 2 ^ k Step 10
}
If W> = R then W =W-N                Step 11
Output W Step 12
Here, the comparison processing in step 11 can be realized only by determining whether or not the OV bit in FIG. This is much lighter and faster than the subtraction process. However, the value obtained by the algorithm 5 may be A * B * R ^ (-1) mod N + N instead of A * B * R ^ (-1) mod N itself. However, since the bit length remains n bits, it is only necessary to finally correct the value in the modular exponentiation.
  The present invention is not related to this speed-up method and relates to the first and second speed-up methods.
  The above problems 1 and 2 also occur in a characteristic 2 Galois field of characteristic 2 that appears in an elliptic curve cryptosystem.
  Briefly explain the concept of Galois field. The Galois field itself is purely a mathematical concept, but it can be translated into a specific operation by constructing an appropriate homomorphism. The simplest method for realizing a Galois field on a computer is to use a polynomial arithmetic operation.
  First, consider the whole polynomial whose coefficient is 0 or 1, and let this set be POLY. Select an n-th irreducible polynomial of degree F (X) as an element of POLY, and sum the sum of the two POLY elements A (X) and B (X) (Synonymous with difference) is defined as the sum of coefficients in terms of an exclusive OR, and the product is A (X) * B (X) mod F Defined by (X). As is well known in algebra, a POLY element that is not a multiple of F (X) has an inverse to the product operation. In POLY, A (X) and B (X) being equivalent are defined as the difference between these A (X) -B (X) being a double element of F (X). , POL (2 ^ n) is the one in which POLY is divided into equivalence classes by this equivalence relation. This is a characteristic 2 Galois field. It is well known that the algebraic structure of GF (2 ^ n) does not depend on the choice of the nth degree irreducible polynomial F (X). For implementation, we often choose polynomials consisting of 3 terms and 5 terms. This polynomial F (X) is sometimes called a reduction polynomial.
  The Galois field product operation is realized by performing an addition process appearing in a normal product operation in the sense of exclusive OR. If the carry is not propagated in the adder, it is equivalent to performing bitwise exclusive OR for each bit, and a Galois field product operation is realized.
In the Montgomery method, essentially the same operation is performed. The condition that `` modulus N is odd '', which was necessary in the usual Montgomery method, is replaced by the condition that the constant term of F (X) is 1, which means that F (X) is irreducible Therefore, it is automatically followed and there is no problem in applying the Montgomery method. R = 2 ^ n in the usual Montgomery method is replaced with R (X) = X ^ n. In addition, the process of determining M, which was important in the Montgomery method, can also be realized by not performing carry propagation. Therefore, the Montgomery process in the Galois field can be realized as follows.
[Algorithm 6]
  W (X) = 0 Step 1
  For j = 0 to n-1 step +1 {Step 2
    T (X) = W (X) + A [j] * B (X) Step 3
    If T (X) mod X is 1 then W (X) = (T (X) + F (X)) / X Step 4
    Else W = T / X Step 5
  }
Here, A [j] is a coefficient of the j-th order term of A (X). The sum is used to mean exclusive OR for each coefficient. In Algorithm 6, the subtraction processing that is present in the normal Montgomery method is not necessary. In the Galois field, there is no magnitude relationship except for the order, and the order of A (X) and B (X) is less than the nth order. If this is the case (in GF (2 ^ n), this always holds), W (X) constructed in the above algorithm 6 is less than the n-th order, and thus becomes a remainder with respect to F (X). . Therefore, the third problem that occurs when performing the Montgomery method in ordinary modular multiplication does not exist in the Galois field.
  It is confirmed by numerical examples that the correct answer can be obtained by this algorithm 6. For simplicity, let F (X) = X ^ 4 + X + 1 in GF (2 ^ 4). For A (X) = X ^ 3 + X ^ 2 + 1, B (X) = X ^ 3 + X + 1, the product of A and B in GF (2 ^ 4), that is, A (X) * B (X) mod F (X) is calculated.
  In this case, paying attention to A [0] = 1, A [1] = 0, A [2] = 1, A [3] = 1, the processes of algorithm 6 are executed in order.
(1) When j = 0
  Since W (X) = 0, A [0] = 1, in step 3,
W (X) = 0 + 1 * (X ^ 3 + X + 1)
= X ^ 3 + X + 1
Since this constant term is 1, execute step 4 and
W (X) = (X ^ 3 + X + 1 + X ^ 4 + X + 1) / X
= (X ^ 4 + X ^ 3 + 2 * X + 2) / X
= (X ^ 4 + X ^ 3) / X
= X ^ 3 + X ^ 2
It becomes. Note that double is 0.
(2) When j = 1
  Since W (X) = X ^ 3 + X ^ 2, A [1] = 0, in step 3,
W (X) = X ^ 3 + X ^ 2 + 0 * (X ^ 3 + X + 1)
= X ^ 3 + X ^ 2
It becomes. Since this constant term is 0, execute step 5.
W (X) = (X ^ 3 + X ^ 2) / X
= X ^ 2 + X
It becomes.
(3) When j = 2
  Since W (X) = X ^ 2 + X, A [2] = 1, in step 3,
W (X) = X ^ 2 + X + 1 * (X ^ 3 + X + 1)
= X ^ 3 + X ^ 2 + 2 * X + 1
= X ^ 3 + X ^ 2 + 1
It becomes. Since this constant term is 1, execute step 4.
W (X) = (X ^ 3 + X ^ 2 + 1 + X ^ 4 + X + 1) / X
= (X ^ 4 + X ^ 3 + X ^ 2 + X + 2) / X
= (X ^ 4 + X ^ 3 + X ^ 2 + X) / X
= X ^ 3 + X ^ 2 + X + 1
It becomes.
(4) When j = 3
  Since W (X) = X ^ 3 + X ^ 2 + X + 1, A [3] = 1, in step 3,
W (X) = X ^ 3 + X ^ 2 + X + 1 + 1 * (X ^ 3 + X + 1)
= 2 * X ^ 3 + X ^ 2 + 2 * X + 2
= X ^ 2
It becomes. Since the constant term is 0, execute step 5;
W (X) = X ^ 2 / X
= X
It becomes. W (X) obtained by the above calculation should be A (X) * B (X) * R (X) ^ (-1) mod F (X), so R (X) ^ (-1) mof Multiply by R (X) = X ^ 4 to remove F (X)
X * X ^ 4 mod (X ^ 4 + X + 1)
= X * (X + 1) = X ^ 2 + X
It becomes.
  In order to confirm whether this result is correct, A (X) * B (X) mod F (X) is calculated by a normal method.
A (X) * B (X)
= (X ^ 3 + X ^ 2 + 1) * (X ^ 3 + X + 1)
= X ^ 6 + X ^ 5 + X ^ 4 + 3 * X ^ 3 + X ^ 2 + X + 1
= X ^ 6 + X ^ 5 + X ^ 4 + X ^ 3 + X ^ 2 + X + 1
Because
A (X) * B (X) mod F (X)
= X ^ 6 + X ^ 5 + X ^ 4 + X ^ 3 + X ^ 2 + X + 1 mod (X ^ 4 + X + 1)
= (X ^ 2 + X + 1) * (X ^ 4 + X + 1) + X ^ 2 + X mod (X ^ 4 + X + 1)
= X ^ 2 + X
Thus, the same polynomial as that obtained by multiplying the value calculated by the algorithm 6 by R (X) is obtained.
  In the calculation in the above Galois field, an operation of replacing 2 with 0 is performed because the sum calculation is executed by exclusive OR.
  Modifying this algorithm to process every k bits can be realized in the same manner as in the case of ordinary modular multiplication. The algorithm of Montgomery method in GF (2 ^ n) is shown.
[Algorithm 7]
For j = 0 to2 ^ k-1 step +1 {Step 1
   TBL (H [j] (X), B (X)) = H [j] (X) * B (X) Step 2
   TBL (H [j] (X), F (X)) = H [j] (X) * F (X) Step 3
}
W (X) = 0 Step 4
For j = 0 to n / k-1 step +1 {Step 5
   T (X) = W (X) + TBL (A [j, k] (X), B (X)) Step 6
   U (X) = T (X) mod X ^ k Step 7
   M [j, k] (X) = U (X) * F [0, k] (X) ^ (-1) mod X ^ k Step 8
   W (X) = T (X) + TBL (M [j, k] (X), F (X)) Step 9
   W (X) = W (X) / X ^ k Step 10
}
  Here, the polynomial H [j] (X) in algorithm 7 is obtained when the binary expansion of j is j = (j [k-1] j [k-2] ... j [0]) , H [j] (X) = j [k-1] * X ^ (k-1) + j [k-2] * X ^ (k-2) + ... + j [0] Is obtained. A [j, k] (X) is a polynomial corresponding to the j-th k-bit block when the polynomial A (X) is expressed as a bit string, and F [0, k] (X), M [j , k] (X) is equivalent to this. Further, the sum of steps 6 and 9 means exclusive OR for each term. Numerical examples are omitted.
[0003]
[Problems to be solved by the invention]
The present invention relates to a microcomputer for performing modular multiplication and modular exponentiation for large numbers and a method for executing the same, and a Montgomery method (PL Montgomery, "Modular Multiplication without Trial Division"). ”, Math. Comp., Vol. 44, 1985, pp. 519-521), when implementing this on the microcomputer, the two problems described in the above [Prior Art],
(First problem) The multiplication table necessary for processing multiple bits at the same time is enlarged.
(Second problem) When the speed of A * B and M * N is executed simultaneously to achieve twice the speed, the amount of calculator and power consumption will double.
And to solve the same problem for the product operation of Galois field GF (2 ^ n).
The above and other objects and novel features of the present invention will be apparent from the description of this specification and the accompanying drawings.
[0004]
[Means for Solving the Problems]
  The outline of the invention disclosed in the present application will be described as follows.
  Consider the following Montgomery algorithm 4 (reprinted).
[Algorithm 4 (repost)]
For j = 0 to2 ^ k-1 step +1 {Step 1
TBL (j, B) = j * B Step 2
TBL (j, N) = j * N Step 3
}
W = 0 Step 4
For j = 0 to n / k-1 step +1 {Step 5
   T = W + TBL (A [j, k], B) Step 6
   U = T mod 2 ^ k Step 7
   M [j, k] = -U * N [0, k] ^ (-1) mod 2 ^ k Step 8
   W = T + TBL (M [j, k], N) Step 9
   W = W / 2 ^ k Step 10
}
If W> = N then W =W-N                  Step 11
Output W Step 12
  As described above in [Prior Art], the processing steps 6 and 9 in the algorithm 4 are a large number of addition processes, and most of the hardware may be considered as this adder.
  Since the processing in step 6 and step 9 is processing for the k-bit block of the processing of A * B and the processing of M * N, this is combined and the addition processing for the k-bit block of A * B + M * N is performed. I understand that I can go. The addition process corresponding to each loop has the form of “number of k bits × B” and “number of k bits × N”, so the necessary new table has the following form: I understand that
TBL (j, t) = j * B + t * N (j, t = 0, 1, 2, ...,2 ^ k-1)
The selection of this table requires two parameters j and t. These parameters can be selected so that when added to W, the lower k bits of the sum are zero.
That is, in the process of the jth step,
TBL (A [j, k], M [j, k]) = A [j, k], * B + M [j, k] * N
You can choose. M [j, k] is a value determined depending on A [j, k]. The following algorithm 8 rearranges the table in advance so that the calculation of M is not necessary.
[Algorithm 8]
For j = 0 to 2 ^ k-1 step 1 {Step 1
   For s = 0 to 2 ^ k-1 step 1 {Step 2
      U = (s + j * B [0, k]) mod 2 ^ k Step 3
      M = −U * N [0, k] ^ (-1) mod 2 ^ k Step 4
      TBL [j, s] = j * B + M * N Step 5
   }
}
W = 0 Step 6
For i = 0 to n / k-1 step 1 {Step 7
   W = W + TBL (A [i, k], W [0, k]) Step 8
   W = W / 2 ^ k Step 9
}
If W> = N then W =W-N                Step 10
Output W Step 11
The above algorithm 8 represents the essence of the present invention. The addition process appearing in two places in the algorithm 4, that is, the processes of steps 6 and 9 in the algorithm 4 are one addition process in the algorithm 8. If the processes of steps 6 and 9 in algorithm 4 are calculated in order, the calculation speed is approximately doubled by adopting algorithm 7. In addition, when the processes of steps 6 and 9 in the algorithm 4 are executed in parallel as many coprocessors perform, two adders are necessary. However, when the algorithm 7 is adopted, the number of adders Can be halved and, as a direct consequence of this, power consumption is reduced.
  In this algorithm 7, if carry propagation is not performed, the product operation of GF (2 ^ n) is realized as described in [Prior Art]. Therefore, the effect of the present invention that occurs in the above-described normal remainder multiplication also appears for the product operation circuit of GF (2 ^ n).
[0005]
DETAILED DESCRIPTION OF THE INVENTION
  The algorithm 8 is listed again below. A method for configuring a circuit according to this algorithm will be described below.
[Algorithm 8 (repost)]
For j = 0 to 2 ^ k-1 step 1 {Step 1
   For s = 0 to 2 ^ k-1 step 1 {Step 2
      U = (s + j * B [0, k]) mod 2 ^ k Step 3
      M = −U * N [0, k] ^ (-1) mod 2 ^ k Step 4
      TBL [j, s] = j * B + M * N Step 5
   }
}
W = 0 Step 6
For i = 0 to n / k-1 step 1 {Step 7
   W = W + TBL (A [i, k], W [0, k]) Step 8
   W = W / 2 ^ k Step 9
}
If W> = N then W =W-N                Step 10
Output W Step 11
The processing of the algorithm 7 is roughly divided into three parts. That is, the “table generation unit” from step 1 to step 5, the “addition processing unit” from step 6 to step 9, and the “value correction unit” from steps 10 and 11.
  First, the highly general “addition processing unit” will be described, then the “value correction unit”, and finally the “table generation unit” will be described, and a circuit configuration integrating them will be described.
  Various methods of configuring the adder are known, but a typical one will be described here.
  The adder is configured by arranging adders for each bit. Now, a circuit that adds two m-bit numbers S and T is constructed. In the following description, each binary representation S = (S [m-1] S [m-2] ... S [1] S [0]), T = (T [m-1] T [m -2] ... T [1] T [0]) and their sum Z = (Z [m] Z [m-1] ... Z [1] Z [0]). When considering the addition processing in units of bits, the values necessary for addition of the j-th bit are S [j], T [j] and the carry C [j-1] generated in the previous calculation. is there. However, it is determined that C [-1] = 0 and Z [m] = C [m-1].
  FIG. 4 is an example of a full adder that performs 1-bit addition. The j-th 1-bit full adder receives S [j], T [j] and the carry signal C [j−1] of the previous stage, and inputs the value Z [j] of the jth bit of Z and the carry signal C It can be understood as a circuit that outputs [j].
  The circuit of FIG.
(Formula 4) Z [j] = (S [j] AND T [j] AND C [j-1]) OR (S [j] AND NOT (T [j]) AND NOT (C [j-1] )) OR (NOT (S [j]) AND T [j] AND NOT (C [j-1])) OR (NOT (S [j]) AND NOT (T [j]) AND C [j-1 ]),
(Formula 5) C [j] = NOT ((S [j] AND NOT (T [j]) AND NOT (C [j-1])) OR (NOT (S [j]) AND T [j] AND NOT (C [j-1])) OR (NOT (S [j]) AND NOT (T [j]) AND C [j-1]) OR (NOT (S [j]) AND NOT (T [j ]) AND NOT (C [j-1]))
Is made into a circuit. In FIG. 4, 401, 402, 403, 404, and 405 are AND circuits, 406 and 407 are OR circuits, 409, 410, 411, 412, 413, 414, 415, 416, and 417 are inverters (NOT circuits). It is. These correspond to AND, OR, and NOT in (Expression 4) and (Expression 5), respectively. Each of AND, OR, and NOT is a logic gate composed of several transistors. AND is a logic gate that outputs 1 only when all of the inputs are 1, and outputs 0 otherwise, OR is 1 if any one of the inputs is 1, and the output is 1 and all 0 This is a logic gate whose output is 0 only when. A NOT (inverter) is a logic gate that outputs 1 for input 0 and outputs 0 for input 1.
  If 1-bit full adders are arranged, a multi-bit full adder can be made. FIG. 5 shows a 4-bit full adder. 501, 502, 503, and 504 are 1-bit full adders shown in FIG. 4, and are calculated according to (Equation 4) and (Equation 5). The carry is set to 0 for the least significant bit. The last carry is Z [4]. Although the case of 4 bits is shown here, it is clear that any number of bits can be added by increasing the number of 1-bit full adders.
  The configuration method of the full adder shown here is the simplest one called `` carry carry adder '' (carry propagation time), the ratio of carry propagation time is the largest, the most addition time It is such a circuit. There are many hardware algorithms for performing addition at higher speed, but the configuration method of the adder is irrelevant to the essence of the present invention, and thus further explanation is omitted.
  Next, processing of the value correction unit will be described. In the value correction unit, subtraction is used. The subtracter has a structure similar to that of an adder and can be configured using a carry propagation adder. For this reason, a normal computer has an addition circuit, but does not have a subtraction circuit.
  FIG. 6 is a configuration example of a 4-bit subtraction circuit (Z = ST) using a full adder. 601, 602, 603, and 604 are 1-bit full adders. At the time of input, the first carry (borrow) is 1, and T is inverted by inverters 605, 606, 607, and 608. Is different. In subtraction, when the last carry (borrow) is 1, it means that the result is negative. This phenomenon is called under flow.
  A configuration example of the value correction unit will be described using the concept of the subtractor. FIG. 7 is a block diagram of the value correction circuit. The n + 1 bit register 702 contains the value W, and the n bit register 703 contains the modulus N value, both of which are calculated by the n + 1 bit subtractor 704. . This value WN and the borrow generated as a result of this calculation are input to a selection signal (selection signal) and the value of W to the selector 705. If the selection signal is 0, the selector 705 selects WN. If the selection signal is 1, W is selected and output.
  Here, W and N have been described as dedicated registers, but it goes without saying that they can also be placed on a RAM used for CPU processing.
  Next, the circuit of the table generation unit will be described. For simplicity, only k = 2 is shown.
  The values generated by the table generation unit when k = 2 are listed as shown in the table of FIG. In this configuration example, the modulus N that is not dependent on the input values A and B, N, 2 * N, and 3 * N are calculated in advance and stored in the registers 909, 910, and 911. Use this. Further, since the input value B is the input value itself, it is not necessary to calculate it. B is held in the register 906.
  Eleven values other than 0 and the above four values B, N, 2 * N, 3 * N must be calculated each time. Here, a configuration is shown in which only the adder is used to calculate the 11 values. The size of the register must be a maximum of (k + 1 =) 3 bits. Each register is connected to a data bus 921, and the data bus 921 is used as a signal line for supplying data to the addition processing unit. Reference numeral 904 denotes an adder that adds the number of n + 2 bits, and sends the sum value of n + 3 bits to the selector 903.
  Upon receiving the calculation start signal determined from the clock signal, the control device 905 initializes the internal counter to 0001 in binary notation, and inputs the value of B to the input of the adder 904 via the selector 901 (both) The adder 904 is operated as follows. A control signal is sent from the adder 904 to the control device 905 immediately before the calculation by the adder 904 starts. The control device 905 receives the control signal, increments its internal counter, obtains a value of 0010 in binary notation, and sets the lower 2 bits 00 and the upper 2 bits to j * B + t * N As j and t, the selector 903 determines the position of the register 907 to which the answer of the adder 904 is written, and writes the addition result. Next, a calculation start signal is transmitted again to the control device 905, and the control device 905 sends a control signal to the selector 901, reads B and 2 * B, inputs them to the adder 904, and performs the same operation as before. To write the value 3 * B to the register 908. By the operation so far, the values for synthesizing the table, B, 2 * B, 3 * B, N, 2 * N, 3 * N are all prepared. Similarly, the register to be read and the register to be written are determined from the counter value of the control device, and the same operation is repeated. However, when the lower 2 bits of the counter are 00, the addition operation is skipped. After all the values are collected, the registers 906, 907, 908, 909, 910, 911, 912, 913, 914, 915, 916, 917, 918, 919, 920 are used as read-only registers. The
  Next, FIG. 10 shows a block diagram of a circuit that combines these to calculate A * B * R ^ (− 1) mod N and writes the result to the A register. However, the value adjustment unit is omitted in order to avoid complexity. In general, the subtraction processing required by the value adjustment unit is realized by changing the input value of the adder 1015.
  FIG. 10 includes all the important components of the present invention. Hereinafter, the same variable names as those used in the algorithm 8 are used.
  In FIG. 10, first, the value of A stored in the A register 1003 is read in order from the lower order. The configuration of the A register is shown in FIG. At this time, the control device 1007 receives the number i of the 2-bit block to be read from the 9-bit register 1006, reads the value of the corresponding 2-bit block, and transmits it to the register 1008. The register 1009 stores the lower 2 bits of W. The values of 1008 and 1009 are transmitted to the value selection and signal control device 1011. 1011 reads the corresponding data from the value table of 1002 via the data bus 1001, and adds the values of 1027 bits and 1026 bits. Send to adder 1015 to perform. However, dedicated registers 1013 and 1014 are connected to the adder 1015, and values read from the table are temporarily held in a 1027-bit register 1014. Reference numeral 1013 denotes a 1026-bit register in which W that appears in the algorithm 7 is stored. It is cleared to 0 at the start of operation. Data in the form of j * B + t * N included in the value table 1002 and the sum of W are added by an adder 1015. In this addition result, since the lower 2 bits are 00 in binary notation, they are cut off by the 2-bit right shifter 1016 and input to the control device 1017. On the other hand, the adder 1015 sends the value 1 to the adder 1018 simultaneously with the start of the calculation. The adder sums the value of the 9-bit register 1019 and the calculation start signal “1”, and the result is the 9-bit register 1019. Send to. 1019 stores 0 at the beginning. This sum is sent to the control device 1017. If the sum does not reach 512, the control device 1017 writes the output result of 1016 to the register 1013 as it is, and the value of 1013 is the lower order of W at 1011. Only 2 bits are extracted and written to register 1009. At this time, a signal is sent from 1017 to 1007 via 1011, the value of i is incremented by the adder 1005, the next 2-bit block of the A register is read out, and it has been extended. The table value is added through the same process. If the value of 1019 reaches 512, a signal is sent to the selective transmission circuit 1012, and the value of W in 1013 is sent to the A register. The value of the A register at this point is A * B * R ^ (-1) mod N or A * B * R ^ (-1) mod N + N. In the latter case, it is necessary to subtract N from A. The subtraction processing unit is omitted. This is one of the embodiments of claims 1 and 7 of the present invention.
  The above-described embodiments can be variously modified without departing from the gist of the present invention. For example, the following changes can be considered.
(1) Here, the adder 1015 is configured to add 1027 bits at the same time, but it can also be realized by dividing this into a plurality of blocks and adding these in order for each block. it can. In this case, the amount of hardware is reduced, but the speed is reduced.
(2) Without using the 2-bit left shifter 1016, it is possible to directly connect only the upper bits to the lower 10 bits to the register 1013.
(3) Change the number of bits of values A, B, and N. For example, it can be changed to 2048 bits, 512 bits, 768 bits, or the like.
(4) The value of k can be changed to a value other than 2, for example, 1, 3, 4, etc. However, when n is not a multiple of k, a logic circuit for correction is required.
(5) In the table, when 0 is eliminated and instead the value added to W is 0, a logic circuit is added so that the value of W is not input to the adder but is directly input to the shifter.
  The above-described changes can be made independently of “addition table synthesis” which is essentially the gist of the present invention.
  Next, a description will be given of items that require some attention unlike the above-described changes.
  Again, Algorithm 8 is shown.
[Algorithm 8 (repost)]
For j = 0 to 2 ^ k-1 step 1 {Step 1
   For s = 0 to 2 ^ k-1 step 1 {Step 2
      U = (s + j * B [0, k]) mod 2 ^ k Step 3
      M = −U * N [0, k] ^ (-1) mod 2 ^ k Step 4
      TBL [j, s] = j * B + M * N Step 5
   }
}
W = 0 Step 6
For i = 0 to n / k-1 step 1 {Step 7
   W = W + TBL (A [i, k], W [0, k]) Step 8
   W = W / 2 ^ k Step 9
}
If W> = N then W =W-N                Step 10
Output W Step 11
  Here, the maximum value of the table TBL [j, s] is (2 ^ k-1) * B + (2 ^ k-1) * N. Since this value is n + k + 1 bits at the maximum, the bit length of TBL [j, s] must be increased according to the value of k. Since the number of data is 4 ^ k, the increase in data accompanying k reaches k * 4 ^ k bits. In general, k is not a large value, so it does not become a big problem in realizing the present invention, but it is not a desirable phenomenon. There are ways to avoid this problem.
  Focus on steps 8 and 9. The value of TBL (A [i, k], W [0, k]) in step 8 is selected so that the lower k bits of the sum of step 8 are always 0. In step 9, the k bits are cut off by a right shift. This indicates that the calculation of the lower k bits is completely unnecessary. Therefore, it can be understood that the table value itself may be prepared by cutting out the lower k bits (shifted right by k bits).
  Specifically, instead of using the value “j * B + t * N”, the value “(j * B + t * N) >> k” obtained by shifting this by k bits is defined as a new table, and the algorithm The same calculation as in step 8 is performed. However, the value of W is shifted right by k bits before the addition process. That is, the calculation is performed according to the following algorithm.
[Algorithm 9]
For j = 0 to 2 ^ k-1 step 1 {Step 1
   For s = 0 to 2 ^ k-1 step 1 {Step 2
      U = (s + j * B [0, k]) mod 2 ^ k Step 3
      M = −U * N [0, k] ^ (-1) mod 2 ^ k Step 4
      NTBL [j, s] = (j * B + M * N) >> k Step 5
   }
}
W = 0 Step 6
For i = 0 to n / k-1 step 1 {Step 7
   W = W / 2 ^ k Step 8
   W = W + NTBL (A [i, k], W [0, k]) Step 9
}
If W> = N then W =W-N                    Step 10
Output W Step 11
Here, step 8 does not need to use a shifter in mounting. Since the right shift is always performed only by k bits, it is wired so as to directly correspond to the k bit shift. The sum of the lower k bits is not calculated. However, if at least one of the lower k bits of W is 1, that is, if the logical OR of each of the lower k bits is 1, this is carried to the adder as carry C [-1]. input. Actually, when the logical sum is 0, it indicates that all k bits are 0, and the corresponding lower k bits of M must also be 0, but the logical sum is 1. This is because, if M is selected such that the lower k bits of the sum with M are all 0, a carry occurs.
  FIG. 15 shows an embodiment of an addition processing circuit taking these into consideration. In this embodiment, k = 2. In the circuit shown in FIG. 15, an NTBL register 1504 for storing an NTBL value and a W register 1503 for storing a W value are connected to an adder 1502. The lower 2 bits of the W register are not connected to the adder 1502, but instead are connected to the value selection and signal control unit, and these 2 bits are used to select the value of the NTBL. Further, each of the two bits is connected to an OR gate 1501 that calculates a logical sum. The calculated value of the OR gate 1501 is input to the adder 1502 as the carry signal C [−1]. The carry signal C [-1] is used as an initial value of carry when performing addition. This is one of the embodiments of the present inventions 4 and 7.
  Next, an embodiment of the present invention that operates on the Galois field GF (2 ^ n) according to the following algorithm 7 (reproduced) will be described.
[Algorithm 7 (repost)]
For j = 0 to2 ^ k-1 step +1 {Step 1
   TBL (H [j] (X), B (X)) = H [j] (X) * B (X) Step 2
   TBL (H [j] (X), F (X)) = H [j] (X) * F (X) Step 3
}
W (X) = 0 Step 4
For j = 0 to n / k-1 step +1 {Step 5
   T (X) = W (X) + TBL (A [j, k] (X), B (X)) Step 6
   U (X) = T (X) mod X ^ k Step 7
   M [j, k] (X) = U (X) * F [0, k] (X) ^ (-1) mod X ^ k Step 8
   W (X) = W (X) + TBL (M [j, k] (X), F (X)) Step 9
   W (X) = W (X) / X ^ k Step 10
}
The calculation in the Galois field GF (2 ^ n) is as described in [Prior Art]. Therefore, it is realized by changing all the addition processes in the circuit in the first embodiment of the present invention described above to exclusive OR for each bit.
  Since the product operation process is composed of a shift process and an addition process, it is only necessary to replace the part of the addition process with a bitwise exclusive OR process. Of course, it goes without saying that the sum is replaced with an exclusive OR in the table configuration. However, it differs from the normal Montgomery method in which the modulus N is n bits, but an n-th order polynomial is used, so that an expression of n + 1 bits is required. In the case of a Galois field GF (2 ^ n), the last value correction processing is not necessary. Other configurations may be the same as those of a normal Montgomery circuit. This is shown in FIG. Here, it is assumed that k = 2 and the degree (degree) of the reduction polynomial F (X) is 257. Hereinafter, the same variable names as those used in the algorithm 7 are used.
  In FIG. 12, first, the value of A stored in the A register 1203 is read in order from the lower order. The configuration of the A register is the same as that shown in FIG. At this time, the control device 1207 receives the 2-bit block number i to be read from the 7-bit register 1206, reads the value of the corresponding 2-bit block, and transmits it to the register 1208. The register 1209 stores the lower 2 bits of W. The values 1208 and 1209 are transmitted to the value selection and signal control device 1211, and 1211 reads the corresponding data from the value table 1202 (table generation will be described later) via the data bus 1201, and sets the value to 258. The result is sent to an exclusive OR calculator 1215 that performs an exclusive OR of a bit value and a 256-bit value. However, dedicated registers 1213 and 1214 are connected to the exclusive OR calculator 1215, and values read from the table are temporarily held in the 258-bit register 1214. Reference numeral 1213 denotes a 258-bit register in which W (X) appearing in the algorithm 7 is stored. It is cleared to 0 at the start of operation. Exclusive OR of data (see Fig. 13) and W (X) in the form of "(first order polynomial) * B (X) + (first order polynomial) * F (X) included in value table 1202 Is calculated by the exclusive OR calculator 1215. Since the lower 2 bits are 00 in binary notation, the result is cut off by the 2-bit right shifter 1216, and the control device On the other hand, the exclusive OR calculator 1215 sends the value 1 to the adder 1218 simultaneously with the start of calculation, and the adder sends the value of the 7-bit register 1219 and the calculation start signal “1”. Sum up and send the result to 7-bit register 1219. 1219 stores 0 at the beginning. This sum is sent to the control device 1217.If the sum does not reach 128, the control device 1217 writes the output result of 1216 into the register 1213 as it is, and the value of 1213 is W (X ) Are extracted and written to the register 1209. At this time, a signal is sent from 1217 to 1207 via 1211, the value of i is incremented by the exclusive OR calculator 1205, and the next 2-bit block of the A register is read out. The exclusive OR with the table value is calculated through the same process as described above. If the value of 1219 reaches 128, a signal is sent to the selective transmission circuit 1212 and the value of W (X) in 1213 is sent to the A register. At this time, the value of the A register is A (X) * B (X) * R (X) ^ (-1) mod F (X).
  The table generation circuit is also realized by replacing the addition process with an exclusive OR process. This is shown in FIG.
   In this configuration example, the reduction polynomial F (X) that does not depend on the input values A (X) and B (X), F (X), XF (X), (X + 1) F (X) , Calculated in advance, held in registers 1409, 1410, 1411 and used. Further, since the input value B (X) is the input value itself, it is not necessary to calculate it. B (X) is held in the register 1406.
  Eleven values other than 0 and the above four values B (X), F (X), XF (X), (X + 1) F (X) must be calculated each time. Here, a configuration is shown in which only the exclusive OR calculator is used to calculate the 11 values. The register size must be up to (k =) 2 bits larger. Each register is connected to a data bus 1421. The data bus 1421 is used as a signal line for supplying data to the exclusive OR processing unit. 1404 is an adder that adds a 258-bit number, and adds a 258-bit sum value (note that no carry occurs in GF (2 ^ n), so the number of bits does not increase) to the selector 1403 send.
  The control device 1405 receives the calculation start signal determined from the clock signal, initializes the internal counter to 0001 in binary notation, and inputs the value of B (X) to the adder 1404 via the selector 1401. The exclusive OR calculator 1404 is operated as (both). A control signal is sent from the exclusive OR calculator 1404 to the control device 1405 immediately before the calculation by the exclusive OR calculator 1404 starts. The control device 1405 receives the control signal, increments its internal counter, obtains a value of 0010 in binary notation, and sets the lower 2 bits 00 and the upper 2 bits to j (X) * B ( As j (X) and t (X) in X) + t (X) * F (X), the selector 1403 determines the position of the register 1407 to which the answer of the exclusive OR calculator 1404 is written, and the exclusive Write the logical sum result. Next, a calculation start signal is transmitted again to the control device 1405, and the control device 1405 sends a control signal to the selector 1401, reads B (X) and XB (X), and inputs them to the exclusive OR calculator 1404 Then, the value (X + 1) B (X) is written to the register 1408 by performing the same operation as before. Up to this point, the values for synthesizing the table, B (X), XB (X), (X + 1) B (X), F (X), XF (X), (X + 1) F (X) is now complete. Similarly, the register to be read and the register to be written are determined from the counter value of the control device, and the same operation is repeated. However, when the lower 2 bits of the counter are 00, the addition operation is skipped. After all the values are collected, the registers 1406, 1407, 1408, 1409, 1410, 1411, 1412, 1413, 1414, 1415, 1416, 1417, 1418, 1419, 1420 are used as read-only registers. The This is one of the embodiments of claims 2 and 7 of the present invention.
  The above-described embodiments can be variously modified without departing from the gist of the present invention. For example, the following changes can be considered.
(1) Here, the exclusive OR calculator 1215 is configured to add 258 bits at the same time, but by dividing this into a plurality of blocks and adding them in order for each block. It can also be realized. In this case, the amount of hardware is reduced, but the speed is reduced.
(2) Without using the 2-bit left shifter 1216, it is possible to directly connect only the upper bits to the lower 12 bits to the register 1213.
(3) Change the number of bits of the values A (X), B (X), F (X).
(4) The value of k can be changed to a value other than 2, for example, 1, 3, 4, etc. However, when n is not a multiple of k, a logic circuit for correction is required.
(5) In the table, when 0 is eliminated and instead the value added to W (X) is 0, the value of W (X) is not input to the exclusive OR calculator, but is input directly to the shifter. A simple logic circuit is added.
  The above changes can be made independently of the “value table synthesis” which is essentially the gist of the present invention.
  Even in the Galois field, the table size can be reduced by k bits in the same manner as in the case of normal Montgomery processing. Except for the carry and the subtraction processing for the final value adjustment, the concept is exactly the same as that of the algorithm 9. The algorithm is shown below.
[Algorithm 10]
For j = 0 to2 ^ k-1 step +1 {Step 1
   NTBL (H [j] (X), B (X)) = H [j] (X) * B (X) >> k Step 2
   NTBL (H [j] (X), F (X)) = H [j] (X) * F (X) >> k Step 3
}
W (X) = 0 Step 4
For j = 0 to n / k-1 step +1 {Step 5
   T (X) = W (X) + TBL (A [j, k] (X), B (X)) Step 6
   U (X) = T (X) mod X ^ k Step 7
   M [j, k] (X) = U (X) * F [0, k] (X) ^ (-1) mod X ^ k Step 8
   W (X) = W (X) + NTBL (M [j, k] (X), F (X)) Step 9
   W (X) = W (X) / X ^ k Step 10
}
Here, regarding the determination of M [j, k] (X), the lower k bits of W (X) being processed may be used as they are, and the point that no carry occurs is different from the normal Montgomery method ( However, mathematical expressions are almost the same).
  FIG. 16 shows a Galois field calculation circuit corresponding to FIG. The difference from the circuit in FIG. 15 is that the adder is an exclusive OR calculator 1601 and that there is no OR circuit that generates a carry signal. This is one of the embodiments of claims 4 and 7 of the present invention.
  Up to this point, the embodiment of the present invention for the remainder multiplication and the embodiment of the present invention for the Galois field G (2 ^ n) are shown separately, but both can be merged.
  The data length required for RSA encryption and elliptic curve encryption is significantly different. In general, the number of bits of N in RSA encryption requires about 1024 bits to 2048 bits in order to have sufficient security. On the other hand, the data length of elliptic curve cryptography having the same strength as RSA cryptography is about 160 to 256 bits. Therefore, a configuration in which a part of the RSA circuit is used as an arithmetic unit of GF (2 ^ n) is possible.
  It can be seen that the sum operation of GF (2 ^ n) is the same as the one with carry set to 0 in normal addition processing as follows.
  For example, among the logical expressions corresponding to the circuit of FIG. 4, those expressing the j-th bit:
(Formula 4 (repost)) Z [j] = (S [j] AND T [j] AND C [j-1]) OR (S [j] AND NOT (T [j]) AND NOT (C [j -1])) OR (NOT (S [j]) AND T [j] AND NOT (C [j-1])) OR (NOT (S [j]) AND NOT (T [j]) AND C [ j-1]),
If C [j-1] = 0,
(Expression 6) Z [j] = (S [j] AND T [j] AND 0) OR (S [j] AND NOT (T [j]) AND NOT (0)) OR (NOT (S [j] ) AND T [j] AND NOT (0)) OR (NOT (S [j]) AND NOT (T [j]) AND 0) = (S [j] AND NOT (T [j])) OR (NOT (S [j]) AND T [j])
= S [j] EXOR T [j]
Get. Here, S [j] EXOR T [j] is an exclusive OR of S [j] and T [j]. That is, if all carrys are set to 0, it is understood that this is an exclusive OR for each bit.
  The bitwise exclusive OR is the polynomial representation of the element A of GF (2 ^ n): A (X) = A [n-1] * X ^ (n-1) + A [n-2] * X ^ (n-2) +… + A [1] * X + A [0] corresponds to the bit string: (A [n-1] A [n-2]… A [1] A [0]) It can be seen that this is consistent with the sum operation in GF (2 ^ n).
Therefore, it is possible to add GF (2 ^ n) (exclusive OR) by adding a circuit that sets carry to 0 in the adder. This embodiment is shown in FIG. FIG. 17 is obtained by adding a selector to the adder of FIG. The adders are connected in a chain and carry C [j] propagates to the next adder. Each selector selects 0 as the carry from the pre-adder and the value 0 according to whether the control signal is 1 or 0. For example, if the control signal is 1 and carry is selected, and if it is 0, the value 0 is selected, the former is a normal adder and the latter is a GF (2 ^ n) adder (exclusive Functions as a logical sum calculator).
  FIG. 18 shows the configuration of an adder that combines the circuits shown in FIGS. The adder with carry control function in FIG. 18 is the same as that in FIG. 17 and functions as an adder for remainder multiplication or an adder for product operation of Galois field GF (2 ^ n) depending on the switching signal. Is decided. This is one of the embodiments of claims 6 and 7 of the present invention.
  The gist of the present invention is irrelevant to the value of k, but k cannot be made as large as possible in terms of implementation. Particularly in a microcomputer for an IC card, the RAM size is about several kilobytes to several tens of kilobytes, and the value of k is greatly restricted. Also, in comparison with other methods, the inventors found that the advantage of the present invention is the highest when k = 2. Therefore, this is included in the claims and is defined as claim 7.
  Needless to say, the hardware configuration for realizing the power-residue operation or the product operation of the Galois field GF (2 ^ n) is not limited to the various embodiments described above, and can be changed as appropriate.
[0006]
【The invention's effect】
The effects obtained by the representative ones of the inventions disclosed in the present application will be briefly described as follows.
That is, the power-residue calculation “Y ^ X mod N” and elliptic curve cryptography on the Galois field GF (2 ^ n) can be realized at high speed.
In addition, in the realization of the dedicated hardware described above for the power-residue operation or the product operation on the Galois field GF (2 ^ n), the logic circuit scale can be minimized.
Furthermore, the above-mentioned dedicated hardware is mounted on the same semiconductor chip as the IC card microcomputer, and encryption / decryption (encryption / decryption) or Galois field GF using power-remainder operation "Y ^ X mod N" A microcomputer for encryption and decryption of elliptic curve cryptography on (2 ^ n) can be realized at low cost and easy to use. Needless to say, the same effect can be expected not only for IC cards but also for devices that require low power consumption, such as mobile terminals such as GSM.
[Brief description of the drawings]
[Fig. 1] Overview of IC card and terminals.
FIG. 2 is a configuration of a microcomputer.
FIG. 3 shows the principle of Montgomery method.
FIG. 4 shows an example of a 1-bit full adder.
FIG. 5 is a 4-bit full adder.
FIG. 6 is a 4-bit subtraction circuit using a full adder.
FIG. 7 is a value correction circuit.
FIG. 8 is a value table when k = 2.
FIG. 9 is a value table generation circuit when k = 2.
FIG. 10 shows an embodiment of the present invention.
FIG. 11: A register.
FIG. 12 shows an embodiment of the present invention for Galois field GF (2 ^ n).
FIG. 13 is a value table for k = 2 for a Galois field GF (2 ^ n).
FIG. 14 is a value table generation circuit when k = 2 for a Galois field GF (2 ^ n).
FIG. 15 shows an embodiment of an addition processing device in Montgomery remainder multiplication.
FIG. 16 shows an embodiment of an addition processing device in the Montgomery method for Galois field GF (2 ^ n).
FIG. 17 shows an adder with a carry control function.
FIG. 18 shows a shared circuit of an adder for remainder multiplication and an adder for product operation of Galois field GF (2 ^ n).

Claims (8)

For non-negative integers A and B and an n-bit odd number N, modular multiplication A * B * R ^ (− 1) mod N + s * N (s is a non-negative integer, R = 2 ^ n, X ^ Y represents the power of X to the power of Y) The value M of the indefinite equation A * B + M * N = W * R, where the value W is an integer M and the integer W is an unknown value, is k bits from the lower bits. In the modular multiplication unit that obtains the W by sequentially obtaining each time,
A first storage device for storing A;
A second storage device for storing the table TBL (j, s) (where 0 ≦ j <2 ^ k and 0 ≦ s <2 ^ k);
A third storage device that initially stores 0 as W;
A control device that performs a first process of taking a value in k bits from the lower side of A and storing it in a fourth storage device as a value j;
A value TBL (j, s) is selected from the table TBL stored in the second storage device using the lower-order k-bit value s of W and the value j, and the TBL (j , S) and an adder for performing a second process;
Shift means for performing a third process of shifting the addition result by the adder to the right by k bits and storing as W in the third storage device;
The TBL (j, s) includes a multiplication result j * B of the B and the value j of k-bit length and a multiplication result t * N of the M k-bit length value t (t = 0, 1, ..., 2 ^ k-1) is stored in accordance with the value of j and the value s defined by s = 2 ^ k- (j * B + t * N) mod 2 ^ k. The first to third processes are repeated n / k times in the order of the first, second, and third processes, and the A * B * R ^ (-1) mod N + s * N is set. A remainder multiplication operation device characterized by being obtained. 2. The modular multiplication unit according to claim 1, further comprising means for setting a value of a carry signal generated in the process of adding TBL (j, s) to W to 0. For non-negative integers A and B and an n-bit odd number N, modular multiplication A * B * R ^ (− 1) mod N + s * N (s is a non-negative integer, R = 2 ^ n, X ^ Y represents the power of X to the power of Y) The value M of the indefinite equation A * B + M * N = W * R, where the value W is an integer M and the integer W is an unknown value, is k bits from the lower bits. In the modular multiplication unit that obtains the W by sequentially obtaining each time,
A first storage device for storing A;
A second storage device for storing the table NTBL (j, s) = (j * B + t * N) >> k (where 0 ≦ j <2 ^ k and 0 ≦ s <2 ^ k);
A third storage device that initially stores 0 as W;
A first control device that performs a first process of taking out a value in k bits from the lower side of A and storing it in a fourth storage device as a value j;
A second process of selecting a value NTBL (j, s) from the table NTBL stored in the second storage device using the lower-order k-bit value s of W and the value j A control device of
If the value of the lower k bits of W is all 0, W is shifted to the right by k bits, and if one or more of the values of the lower k bits of W are 1, then W is shifted to the right. An adder that performs a process of adding 1 after bit shifting and performing a third process of adding NTBL (j, s) to W;
Means for performing a fourth process of storing the addition result by the adder as W in the third storage device;
The NTBL (j, s) includes a multiplication result j * B of the B and the k-bit length value j and a multiplication result t * N of the M k-bit length value t (t = 0, 1, ..., 2 ^ k-1) sum j * B + t * N is stored according to the value of j and the value s defined by s = 2 ^ k− (j * B + t * N) mod 2 ^ k, and the first to fourth processes are performed A remainder multiplication arithmetic apparatus characterized in that said A * B * R ^ (-1) mod N + s * N is obtained by repeatedly executing n / k times in the order of the first, second, third and fourth processes. . 4. The modular multiplication unit according to claim 3, further comprising means for setting a value of a carry signal generated in the process of adding the NTBL (j, s) to W to 0. 2. The modular multiplication apparatus according to claim 1, wherein k is 2. 4. The modular multiplication unit according to claim 3, wherein k is 2. Polynomials A (X) and B (X) having only 0 and 1 as coefficients and n-th irreducible polynomial F (X) having only 0 and 1 as coefficients and a constant term of 1 ) For the remainder multiplication A (X) * B (X) * R (X) ^ (-1) mod F (X) (where R (X) = X ^ n) in GF (2 ^ n) Indefinite equation A (X) * B (X) + M (X) * F (X) = W (X) * M (X) of W (X) * R (X) where M (X) and W (X) are unknowns In the modular multiplication unit for obtaining W (X) by sequentially obtaining the value of k for each k term from the low-dimensional term,
A first storage device for storing the coefficient of the A (X);
A second storage device for storing the coefficient of B (X);
A third table TBL (j (X), s (X)) (where j (X), s (X) is a k-1 or lower order polynomial having only 0 and 1 as coefficients) Storage device,
A fourth storage device that initially stores 0 as W (X);
A control device that performs a first process of storing in the fifth storage device as a fetch value j (X) in k terms from the low-dimensional side of A (X);
The value TBL (j) from the table TBL stored in the third storage device is obtained by using the value s (X) obtained by extracting the k term from the low-dimensional side of W (X) and the value j (X). (X), s (X)) is selected, and the second process of adding the TBL (j (X), s (X)) to GF (2 ^ n) to the W (X) is performed. A logical OR operator,
Shift means for performing a third process of shifting the addition result in GF (2 ^ n) by the exclusive OR operator to the right by k bits and storing it in the fourth storage device as W (X). And
The TBL (j (X), s (X)) includes a multiplication result j (X) * B (X) of the B (X) and the value j (X) of the k term and the M (X). Multiplication result t (X) * F (X) (k = 0, 1, X,..., X ^ (k-1) + X ^ (k-2) + ... + 1 ) Of GF (2 ^ n) j (X) * B (X) + t (X) * F (X) is the value of j (X) and s (X) = j (X) * B Stored in accordance with the value s (X) defined by (X) + t (X) * F (X) mod X ^ k
The first to third processes are repeated n / k times in the order of the first, second, and third processes, and the A (X) * B (X) * R (X) ^ (− 1 ) Modulus multiplication operation device for finding mod F (X), where addition (+) and multiplication (*) are addition and multiplication in Galois field GF (2 ^ n) apparatus. Polynomials A (X) and B (X) having only 0 and 1 as coefficients and n-th irreducible polynomial F (X) having only 0 and 1 as coefficients and a constant term of 1 ) For the remainder multiplication A (X) * B (X) * R (X) ^ (-1) mod F (X) (where R (X) = X ^ n) in GF (2 ^ n) Indefinite equation A (X) * B (X) + M (X) * F (X) = W (X) * M (X) of W (X) * R (X) where M (X) and W (X) are unknowns In the modular multiplication unit for obtaining W (X) by sequentially obtaining the value of k for each k term from the low-dimensional term,
A first storage device for storing the coefficient of the A (X);
A second storage device for storing the coefficient of B (X);
Table NTBL (j (X), s (X)) = (j (X) * B (X) + t (X) * F (X)-(j (X) * B (X) + t (X) * F) (X) mod X ^ k)) / X ^ k (where j (X) and s (X) are polynomials having k-1 or lower order coefficients with only 0 and 1 as coefficients. ) Is a third storage device that stores s (X) = j (X) * B (X) + t (X) * F (X) mod X ^ k),
A fourth storage device that initially stores 0 as W (X);
A control device that performs a first process of storing in the fifth storage device as a fetch value j (X) in k terms from the low-dimensional side of A (X);
The value NTBL (j) from the table NTBL stored in the third storage device using the value s (X) obtained by extracting the k term from the low-dimensional side of W (X) and the value j (X). (X), s (X)) is selected, and the coefficient of the W (X) is shifted by k, so that the coefficient of the lower-order k term is set to 0 and then divided by X ^ k. Shift for performing the second process of adding the NTBL (j (X), s (X)) to GF (2 ^ n) to (X) and storing it in the fourth storage device as W (X) and means and the exclusive oR calculator,
The NTBL (j (X), s (X)) includes a multiplication result j (X) * B (X) of the B (X) and the value j (X) of the k term and the M (X). Multiplication result t (X) * F (X) (k = 0, 1, X,..., X ^ (k-1) + X ^ (k-2) + ... + 1 ) Of GF (2 ^ n) in j (X) * B (X) + t (X) * F (X), where the k term is 0 from the lower dimension side and the value divided by X ^ k is Stored in accordance with the value of (X) and the value s (X) defined by s (X) = j (X) * B (X) + t (X) * F (X) mod X ^ k,
The first and second processes are repeated n / k times in the order of the first and second processes, and the A (X) * B (X) * R (X) ^ (-1) mod F (X) is a modular multiplication operation device, wherein addition (+), subtraction (−), and multiplication (*) are addition, subtraction, and multiplication in a Galois field GF (2 ^ n). A remainder multiplication operation device.

Images